From: GAYNOR, RYAN C. (CD) (FBI) 

Sent: Tuesday, October 04, 2016 9:00 AM 

To: WIERZBICKI, DANIEL S. (CG) (FBI); HEIDE, CURTIS A. (CG) (FBI); SANDS, ALLISON 
(CG) (FBI) 

Cc: MOFFA, JONATHAN C. (CD) (FBI); PIENTKA, JOE (WF) (FBI); AUTEN, BRIAN J. (CD) 
(FBI) 

Subject: RE: Status update on ALFA BANK case 


Classification: 


Classified By: F24M49K23 
Derived From: FBI NSIC dated 20120629 
Declassify On: 20411231 




Got it and being discussed at HQ. Before we make any decisions on that front, we 
will need to know what we can learn from the logs we have now obtained regarding 
the nature of the actual activity between Alfa Bank and the domain/server. 


CG and MM have done great work on this and it is very much appreciated here. We 
continue to highlight the progress on this matter to CD and CyD leadership on a daily 
basis. 


Best Regards, 
-Ryan 


From: WIERZBICKI, DANIEL S. (CG) (FBI) 

Sent: Monday, October 03, 2016 3:00 PM 
To: HEIDE, CURTIS A. (CG) (FBI); GAYNOR, RYAN C. (CD) (FBI); SANDS, ALLISON (CG) 
(FBI) 

Cc: MOFFA, JONATHAN C. (CD) (FBI); PIENTKA, JOE (WF) (FBI); AUTEN, BRIAN J. (CD) 
(FBI) 

Subject: RE: Status update on ALFA BANK case 
Classified By: F97M34K34 
Derived From: FBI NSIC dated 20120629 
I agree with Curtis. An interview with the source of info would be the logical step in 
this (as well as any) investigation. It may allow us to understand the what and why 
of the white paper. 


From: HEIDE, CURTIS A. (CG) (FBI) 

Sent: Monday, October 03, 2016 2:49 PM 

To: GAYNOR, RYAN C. (CD) (FBI); SANDS, ALLISON (CG) (FBI) 

Cc: MOFFA, JONATHAN C. (CD) (FBI); PIENTKA, JOE (WF) (FBI); AUTEN, BRIAN J. (CD) 
(FBI); WIERZBICKI, DANIEL S. (CG) (FBI) 

Subject: RE: Status update on ALFA BANK case 


Classification: 


Classified By: J91144T84 
Derived From: FBI NSIC dated 20130301 
Declassify On: 20411231 


Yeah, we got the logs from MM so we'll look through those for these IPs. 


We really want to interview the "source" of all this information. Any way we can 
track down who this guy is and how we're getting this information? 


Curtis 
312-829-8432 


From: GAYNOR, RYAN C. (CD) (FBI) 

Sent: Monday, October 03, 2016 1:48 PM 

To: HEIDE, CURTIS A. (CG) (FBI); SANDS, ALLISON (CG) (FBI) 

Cc: MOFFA, JONATHAN C. (CD) (FBI); PIENTKA, JOE (WF) (FBI); AUTEN, BRIAN J. (CD) 
(FBI) 

Subject: RE: Status update on ALFA BANK case 


Classification: 


Classified By: F24M49K23 
Derived From: FBI NSIC dated 20120629 
Declassify On: 20411231 
Curtis, 


Just read the lead info on unet. Please try to obtain any background info on how we 
received the new 'anonymous information' related to the new 'person of interest' 
because I am sure that we will be asked up here. The new information just creates 
more questions for now. One could/might now assume the leaps of logic (VPN/TOR 
etc) within the original white paper were based on the author of the whitepaper 
having a 'Person of Interest' they started their investigation from? 


Will standby for CG/MM thoughts. 


Thanks all, 
-Ryan 


From: HEIDE, CURTIS A. (CG) (FBI) 
Sent: Monday, October 03, 2016 1:38 PM 
To: GAYNOR, RYAN C. (CD) (FBI); SANDS, ALLISON (CG) (FBI) 
Cc: MOFFA, JONATHAN C. (CD) (FBI); PIENTKA, JOE (WF) (FBI); AUTEN, BRIAN J. (CD) 
(FBI) 
Subject: RE: Status update on ALFA BANK case 


Classification: 


Classified By: J91J44T84 
Derived From: FBI NSIC dated 20130301 
Declassify On: 20411231 


Ryan, 


It appears that Allison is out today. I just got into the office. Hit me up if you need 
anything. 


We got another lead related to the iisi portion with Alfa Bank. I'll forward it to 
everyone on this chain. 


Curtis 


312-829-8432 


From: GAYNOR, RYAN C. (CD) (FBI) 

Sent: Monday, October 03, 2016 7:45 AM 

To: SANDS, ALLISON (CG) (FBI); HEIDE, CURTIS A. (CG) (FBI) 

Cc: MOFFA, JONATHAN C. (CD) (FBI) 

Subject: FW: Status update on ALFA BANK case 
Hope you both had a great weekend. Any updates for today? Has Miami obtained 
the server logs from Central Dynamics or have a projected timetable for when they 
will? If not, and if they cannot give a timetable for when they will, would it be 
prudent to serve the NSL on Listrak? 


Thanks, 
-Ryan 


From: GAYNOR, RYAN C. (CD) (FBI) 

Sent: Wednesday, September 28, 2016 2:58 PM 

To: SANDS, ALLISON (CG) (FBI); HEIDE, CURTIS A. (CG) (FBI) 

Subject: RE: Status update on ALFA BANK case 


Classification: 


Classified By: F24M49K23 
Derived From: FBI NSIC dated 20120629 
Declassify On: 20411231 


Curtis/Allison, 


Any updates for tomorrow? If possible, any time estimates on when you will have 
the logs you need to conduct the next analysis would be helpful at HQ. 


Thanks, 
-Ryan 
From: SANDS, ALLISON (CG) (FBI) 

Sent: Monday, September 26, 2016 6:20 PM 

To: MARIC, PAUL M. (CD) (FBI); PIENTKA, JOE (WF) (FBI); AUTEN, BRIAN J. (CD) (FBI); 
STOFER, JOHN F. (CD) (FBI); GAYNOR, RYAN C. (CD) (FBI) 

Cc: WIERZBICKI, DANIEL S. (CG) (FBI); HEIDE, CURTIS A. (CG) (FBI) 

Subject: Status update on ALFA BANK case 


Classification: 


Classified By: COOB95073 
Derived From: FBI NSIC dated 20130301 
Declassify On: 20411231 


Good afternoon, 


We have several updates on the ALFA BANK case to pass along: 
* The agent in Miami who has been working with Central Dynamics received an 
email from an executive at Central Dynamics stating that they checked the servers 
for the last 30 days, and the only IP they detected hitting the server was 167.73.11.8. 
This is the IP address mentioned in the white paper that resolves to SPECTRUM 
HEALTH. It is unclear at this time what kind of communication this "hit" is 
referring to. We are still waiting on the server logs to conduct our own forensic 
investigation of any network activity on this domain. 
* NSLs are in draft and will soon be available for delivery to LISTRAK, the ISP that 
hosts the trump-email.com domain, and GoDaddy.com. We will seek to obtain any 
logs available on the LISTRAK server that relate to the trump-email.com domain, and 
subscriber data, any domains and subdomains affiliated with the subscriber, IP logs, and 
billing information on the trump-email.com domain from GoDaddy.com. 
* Our OGA partners conducted an assessment of ALFA BANK traffic affiliated with the 
three IP addresses listed in the white paper (217.12.97.15, 217.12.96.15, 
79.134.218.13). They found no anomalous activity on these DNS servers. We 
requested additional analysis specifically looking for any instances of these DNS 
servers querying any email servers. 
* Open source research on the current and historical lists of Tor exit nodes published 
by the Tor Project (torproject.org) covering the time period of May 4 2016 - Sept 4 
2016, revealed no matches to the SPECTRUM HEALTH IP (167.73.110.8). Normally, a 
Tor exit node would appear in this list if it were active during the reviewed time 
period. Under normal conditions, the historical data used for searching is captured 
at a rate of once per hour, every hour, every day. This is further evidence that the 
white paper's claim about SPECTRUM HEALTH being an exit node - exclusive for ALFA 
BANK or otherwise - is not supported by technical analysis. As far as we know, there 
is no way to create an exclusive TOR exit node; doing so would by default decrease 
the anonymity of the Tor user. Further, in addition to being a technically 
questionable practice, the use of Tor networks in general is inconsistent with Russia's 
TTPs for obfuscating its network activities. 

As always, I'm happy to answer any questions. 


Best, 


Special Agent Allison Sands 
Chicago Division/ CY-1 
desk: 312-829-8628 
mobile: 312-965-5872 
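The Tor exit-list check described in the update above (was a given IP ever listed as an exit address during a date window?) can be reproduced offline against the hourly exit-list snapshots the Tor Project archives. The following is an added example, not code from the e-mail thread or from the FBI; it assumes the TorDNSEL exit-list text format (blocks of ExitNode / Published / LastStatus / ExitAddress lines). The snapshot text is constructed for the example and uses documentation IP ranges and dummy fingerprints, not real relays.

```python
"""Check whether an IP address was listed as a Tor exit address in a date window.

Added example (not from the original thread). Parses the TorDNSEL exit-list
format (assumed format: blocks starting with an ExitNode line, each followed by
Published / LastStatus / one or more ExitAddress lines) and reports every
sighting of a given IP within an inclusive date window.
"""
from datetime import datetime
from typing import List, Tuple

# Constructed sample snapshot: two relays, three exit addresses. Real archives
# (one file per hour) have the same line layout but thousands of blocks.
SAMPLE_EXIT_LIST = """\
ExitNode 0000000000000000000000000000000000000001
Published 2016-09-03 22:00:00
LastStatus 2016-09-03 23:00:00
ExitAddress 192.0.2.10 2016-09-03 23:15:21
ExitNode 0000000000000000000000000000000000000002
Published 2016-09-04 01:00:00
LastStatus 2016-09-04 02:00:00
ExitAddress 198.51.100.7 2016-09-04 02:05:00
ExitAddress 198.51.100.8 2016-09-04 02:05:01
"""


def parse_exit_list(text: str) -> List[Tuple[str, str, datetime]]:
    """Return (fingerprint, exit_ip, seen_at) for every ExitAddress line.

    The format is line-oriented: an ExitNode line opens a block, and the
    ExitAddress lines that follow belong to that relay until the next ExitNode.
    Malformed or unknown lines are skipped rather than aborting the parse.
    """
    records: List[Tuple[str, str, datetime]] = []
    fingerprint = None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "ExitNode" and len(parts) >= 2:
            fingerprint = parts[1]
        elif parts[0] == "ExitAddress" and fingerprint and len(parts) >= 4:
            try:
                seen_at = datetime.strptime(f"{parts[2]} {parts[3]}", "%Y-%m-%d %H:%M:%S")
            except ValueError:
                continue  # skip a line with a damaged timestamp
            records.append((fingerprint, parts[1], seen_at))
    return records


def exit_sightings(text: str, ip: str, start: str, end: str) -> List[datetime]:
    """Sorted timestamps at which `ip` appeared as an exit address.

    `start` and `end` are ISO dates (YYYY-MM-DD); the window is inclusive.
    """
    lo = datetime.strptime(start, "%Y-%m-%d").date()
    hi = datetime.strptime(end, "%Y-%m-%d").date()
    return sorted(
        seen for _, exit_ip, seen in parse_exit_list(text)
        if exit_ip == ip and lo <= seen.date() <= hi
    )


def was_tor_exit(text: str, ip: str, start: str, end: str) -> bool:
    """True if the IP was listed as an exit address at least once in the window."""
    return bool(exit_sightings(text, ip, start, end))


if __name__ == "__main__":
    window = ("2016-05-04", "2016-09-04")
    for candidate in ("192.0.2.10", "203.0.113.5"):
        hits = exit_sightings(SAMPLE_EXIT_LIST, candidate, *window)
        print(candidate, "listed" if hits else "not listed", [h.isoformat() for h in hits])
```

Because the snapshots are taken hourly, a relay that was an exit for less than an hour between two captures can be missed, and the list only reflects what TorDNSEL observed; "not listed" is therefore strong but not absolute evidence, which matches the "Normally, a Tor exit node would appear" wording in the update. When running this against the real archive, concatenate every hourly file for the window before calling `exit_sightings`.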


From: SANDS, ALLISON (CG) (FBI) 

Sent: Friday, September 23, 2016 1:53 PM 

To: SANDS, ALLISON (CG) (FBI); MARIC, PAUL M. (CD) (FBI); PIENTKA, JOE (WF) (FBI); 
AUTEN, BRIAN J. (CD) (FBI); STOFER, JOHN F. (CD) (FBI) 

Cc: WIERZBICKI, DANIEL S. (CG) (FBI); HEIDE, CURTIS A. (CG) (FBI) 

Subject: Status update on ALFA BANK case 
Good afternoon, 


Miami followed up this morning with Central Dynamics who confirmed that the 
mail1.trump-email.com domain is an old domain that was set up in approximately 
2009 when they were doing business with Trump Organization that was never used. 
They released the domain via GoDaddy to the Trump Organization over a year ago; 
however, the DNS tables were not updated and that domain still pointed to Central 
Dynamics servers. As of this afternoon, a WHOIS look-up revealed that 
mail1.trump-email.com no longer resolves to Central Dynamics, indicating they likely 
updated their DNS tables after the FBI informed them of the oversight. This email 
domain is no longer pointing to any active mail server. 


Central Dynamics provided a picture of a Barracuda (spam filter) service 
connected to server [trump-email.com]. The information displayed by the Barracuda 
spam filter for trump-email.com indicates that during an unspecified time period, 15 
inbound emails were received, 1 was allowed to pass through the filter, and 1 
outbound email was marked as spam and blocked. The information provided only 
reflects email SMTP traffic, and we have requested that Miami obtain logs for the 
email server on which the domain was residing to identify whether or not there was 
any other traffic (non-SMTP) that indicates malware or other ALFA BANK traffic 
(including the alleged DNS queries) residing on the server. 


With regards to the request for information for coverage on ALFA BANK from our 
OGA partners, we are hoping to start receiving information within the next day or 
two. I will send updates if we receive any pertinent traffic coming from ALFA BANK. 


Respectfully, 


Allison Sands 
From: SANDS, ALLISON (CG) (FBI) 

Sent: Thursday, September 22, 2016 4:53 PM 

To: MARIC, PAUL M. (CD) (FBI); PIENTKA, JOE (WF) (FBI); AUTEN, BRIAN J. (CD) (FBI); 
STOFER, JOHN F. (CD) (FBI) 

Cc: WIERZBICKI, DANIEL S. (CG) (FBI); HEIDE, CURTIS A. (CG) (FBI) 

Subject: RE: Status update on ALFA BANK case 


Classification: 
Declassify On: 20411231 


Miami made contact with Central Dynamics, who confirmed that trump-email.com is 
a legitimate mail server that is used by Trump Hotels. Agent spoke to an executive at 
Central Dynamics, who agreed to cooperate with the FBI and will provide logs as 
requested. Agent will return to Central Dynamics tomorrow morning to meet with 
the technology support staff. We will provide Central Dynamics with the three IP 
addresses of specific interest for ALFA BANK and SPECTRUM HEALTH and specifically 
request for any logs related to that network traffic. Central Dynamics also provides 
email support for Trump.com, but moved the trump.com email servers to another 
server due to the high frequency of malicious attacks to those accounts. 


Best, 
Special Agent Allison Sands 
Chicago Division/ CY-1 


desk: 312-829-8628 
mobile: 312-965-5872 
From: SANDS, ALLISON (CG) (FBI) 

Sent: Thursday, September 22, 2016 4:22 PM 

To: PIENTKA, JOE (WF) (FBI); AUTEN, BRIAN J. (CD) (FBI); STOFER, JOHN F. (CD) (FBI); 
MARIC, PAUL M. (CD) (FBI) 

Cc: WIERZBICKI, DANIEL S. (CG) (FBI); HEIDE, CURTIS A. (CG) (FBI) 


Subject: Status update on ALFA BANK case 


Classification: 


Classified By: COOB95073 
Good afternoon, 


As of 1500 today 9/22/16, CG CY-1 have conducted the following investigation 
actions in support of the forthcoming case on ALFA BANK: 


* FBI CG CY-1 submitted an EC to open a full investigation - pending ASAC and SAC 
approval 

* CY-1 Computer scientists extracted files from source thumb drive for future 
analysis on OPWAN. 

* Case agents coordinated with Cyber Division (POC Scott Hellman) to examine 
technical inconsistencies in the white paper's methodologies and conclusions. 
Overall, ECOU assesses that the claims put forth in the white paper are invalid. Some 
key points: 

o There is no network traffic between the ALFA BANK and the trump-email.com 
domains, only DNS queries; 

o There is no evidence to support that the suspect email is currently tied to the 
TRUMP ORGANIZATION- the details of the registration do not match any of the 
legitimate TRUMP ORGANIZATION mail servers; 

o An error message on port 25 does not indicate that the server is set up specifically 
to only communicate to designated IP addresses; and 

o A "secret" communications portal is unlikely to have "email" or "trump" in the 
domain name and would unlikely communicate directly to ALFA BANK's IP address. 

o There is a lack of supporting evidence tying the ALFA BANK to the SPECTRUM 
HEALTH DNS queries. 
* Case agents researched the legitimate mail servers affiliated with trump.com, and 
mail1.trump-email.com is not among them. Trump.com appears to be protected by 
an anti-DDOS service called CLOUDFLARE in San Francisco, whereas trump-email.com 
is not. 

* Research on the trump-email.com domain, the parent domain to the suspect 
mail1.trump-email.com, revealed that the domain is registered to Central Dynamics 
Corporation, Boca Raton, FL. According to open source, Central Dynamics provides IT 
services to the Hotel industry that did some marketing for the Trump Organization in 
approximately 2007-2009 (the mail1.trump-email.com domain was created in 
August 2009). Case agents cut a lead to Miami (POC SSA Jason Manar) to contact 
Central Dynamics to gather information about the trump-email.com domain using a 
ruse that the FBI is contacting them to see if this is a legitimate email account and 
not a spoof email account having the potential to send spear-phishing or other cyber 
criminal threats, and highlight that the Registrant Organization was listed as Trump 
Orgainzation [sic] which could be an indication of malicious intent. Requested server 
logs if possible. 

* A WHOIS search revealed that the suspect email domain is being hosted on a 
Listrak server in Lititz, PA. Case agents contacted Philadelphia (POC SA Joshua 
Hubiak) and put Harrisburg RA on standby to contact Listrak to gather any 
information possible about the trump-email.com domain. Philadelphia will wait to 
approach Listrak pending the outcome of the conversation with Central Dynamics. 
(NSL will be issued tomorrow if warranted) 

* IP addresses associated with the suspect email domain mail1.trump-email.com (IP 
address 66.216.133.29) and SPECTRUM HEALTH, the suspected TOR exit node (IP 
address 167.73.110.8) were run through Lighthouse records (POC David Garn). 
Results are as follows: 

o Over the last six months, there are hits for IP address 167.73.110.8 on several CMs, 
all of which are China related. Going back further than six months, there was 
occasional activity on several FBI CMs (100 to 200 packets 
during a 24-hour period) as well as a very small number of packets to some OGA CMs 
associated with China. 
o There is far less in LH related to IP address 66.216.133.29. 


* OGA partner conducted database checks and a reporting trace on ALFA BANK 
network activity; both yielded no results relevant to the current investigation. OGA 
partner requested formal request for information to OGA partner for active targeting 
of foreign subjects. (Request forthcoming) 


Respectfully, 


Special Agent Allison Sands 
Chicago Division/ CY-1 
desk: 312-829-8628 
mobile: 312-965-5872 